Dr. Christian Schröder

Partner

Düsseldorf


Read full biography at www.orrick.com

Dr. Christian Schröder heads Orrick's IP/IT & Data Privacy Practice Group in Germany from Orrick's Düsseldorf office. Christian advises companies ranging from medium-sized (Mittelstand) businesses to large multinationals on IP, unfair and deceptive trade practices, e-commerce, IT and data privacy/data protection.

Christian provides IP/IT advice in M&A transactions and advises on IP-focused joint ventures. He supports companies in setting up webshops, outsourcings and license agreements, in trademark or unfair and deceptive trade practice matters, and on hardware and software license and IT project agreements.

As a core member of Orrick's global Cybersecurity and Data Privacy team, Christian has a special focus on data privacy/data protection matters. In particular, Christian advises on a risk-based approach to privacy and on implementing databases and new software applications, especially cloud-based solutions. He advises on data privacy contracts, internal data privacy policies, binding corporate rules, user agreements on BYOD, whistleblowing schemes, e-discovery, security breaches, and intra-group data sharing on a national and international basis. He also regularly defends companies against unfair access to their know-how by competitors and against unfair poaching of customers and employees.

Recent Engagements:

Data Privacy / Cybersecurity

  • GDPR Compliance Programs: Advising various mid to large sized multinational companies on GDPR compliance, understanding international data flows, drafting data sharing agreements, setting up compliance structures and privacy-by-design programs, assisting with Privacy Impact Assessments, and revising data privacy policies. Some of these clients are among the world's leading technology companies.

  • Connected Cars: Advising global tech companies and car manufacturers on data privacy implications with Connected Cars.

  • International Data Transfer Mechanisms: Developing and implementing enterprise-wide compliance programs, including (online) customer and employee privacy policies, cookie compliance, terms of service, and end user licensing agreements relating to core privacy and related consumer-protection issues.

  • Employee Monitoring and Works Council Agreements: Advising several global companies on the implementation of employee monitoring schemes and cross-border data flows, on the international transfer (both intra-group and third-party) of employee data from countries outside Europe to a service provider in Europe (and vice versa), and on developing a global HR data privacy approach; drafting works council agreements relating to the implementation and use of IT applications and representing clients in the related negotiations.

  • Representation before Supervisory Authorities: Representing a global event organizer in supervisory procedures regarding data privacy matters.

  • Vendor Data Processing Agreements: Advising several global tech companies on tailored data processing agreements which include cloud services with various sub-processors.

  • Data Privacy and E-Commerce: Advising several international companies on data privacy and e-commerce law matters, inter alia on using personal data for direct marketing, and collecting and using personal data in the online environment.

  • Travel and Ed-Tech Data Privacy: Advising leading travel and Ed-Tech companies on data privacy issues specific to their businesses.

  • Advising Tech Start-ups on Data Privacy: Advising numerous mid-sized start-ups from the U.S. and Germany on IT and data privacy matters, e.g. developing marketable products and services that align with consumer privacy and data protection principles. Also, drafting privacy policies, terms and conditions, and vendor contracts, as well as evaluating cutting-edge and disruptive technologies and businesses against privacy compliance and consumer protection concepts.

  • Connected Cars: Advising a car manufacturer on connected cars and international data transfers.

  • Cybersecurity and Data Breach Incident Plans: Counseling major computer software companies on cybersecurity and data breach incident response plans.

  • Strategic Cloud Computing Advice: Providing strategic advice to key cloud computing market players in relation to data protection and information security issues.

  • Post-M&A Integration Issues: Integrating a German affiliate into the group's internal data sharing/access schemes and, in this context, conducting challenging negotiations with IT providers and the affiliate's works council (Betriebsrat).


Information Technology

  • IT Licensing: Advising a leading U.S. software manufacturer on its EU and German software licensing terms & conditions and regularly conducting negotiations with its customers.

  • IT Licensing: Advising a U.S. cloud software provider on its German licensing terms & conditions.

  • Software Joint Venture: Advising a leading German market platform on a Joint Venture with a software manufacturer.


Unfair Trade and IP

  • Unfair Trade Practices Litigation: Representing several software and e-commerce companies in unfair competition litigation, e.g. regarding unfair advertising and breach of consumer protection regulations.

  • Trademark Prosecution and Litigation: Advising various small to large national and international companies on trademark prosecution and litigation.


M&A Technology/Joint Venture Transactions


Other

  • Christian assisted several representative clients, including Flexera Software, Microsoft, NVIDIA, Sensata Technologies, and SIG Combibloc.


Posts by: Christian Schröder

European Court Restricts Employer Access to Employee’s Private Communications

(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)

With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.

Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law.

Orrick Launches Automated GDPR Readiness Tool for Companies

Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU's new and complex data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization.

EU Proposes Overhaul to Privacy and Electronic Communications


January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.

The draft Regulation, which goes beyond the scope of the current e-Privacy Directive in significant ways, would apply directly without the need for Member States to implement local law in the same way as the General Data Protection Regulation (“GDPR”). Like the e-Privacy Directive, the Regulation sets out rules on, among others, the use and confidentiality of electronic communications and metadata, use of cookies and direct marketing by electronic means.

The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with the GDPR. The draft Regulation is intended to take effect on the same day as the GDPR (25 May 2018), and the penalties it envisages for non-compliance mirror those of the GDPR (i.e. potentially fines of up to €20m or 4% of annual global turnover, whichever is higher).


Data Protection Officer and IT Manager – Two Jobs That Do Not Match

Companies required to appoint a data protection officer ("DPO") in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, "BayLDA") for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation ("GDPR") and thus influence the appointment of DPOs by international companies.


10 German Data Privacy Supervisory Authorities Investigating Potential Unlawful International Data Transfers


According to a press release of the Data Protection Supervisory Authority in the Land Mecklenburg Vorpommern of November 3, German supervisory authorities have randomly selected 500 companies in Germany and sent them requests for information on their international data transfers. The German supervisory authorities are undertaking this coordinated action in order to increase awareness among companies of the need to ensure data privacy compliance of international data transfers.


Is Your Data Safe? National Cybersecurity Awareness Month


Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.

Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.


First Privacy Shield Guidelines for Companies published by German DPA


On September 12, 2016, the Data Protection Authority of the German Federal State of North Rhine-Westphalia ("DPA NRW") became one of the first EU data protection authorities to issue guidance on the implementation of the Privacy Shield. Although the guidance is primarily directed at German companies that engage U.S. providers (or any other third-party service providers), U.S. providers should also study it to better understand what German and EU customers may ask of them in addition to EU-U.S. Privacy Shield certification.

Background

Since August 1, 2016, U.S. companies have been able to certify for the EU-U.S. Privacy Shield ("Privacy Shield") for personal data transfers from the EU to the U.S. Companies electing to certify under the Privacy Shield with the U.S. Department of Commerce will be recognized by the EU as providing an adequate level of protection for personal data transferred from the EU to the U.S. The Privacy Shield, which was adopted on July 12, 2016 by the European Commission, replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union ("CJEU") on October 6, 2015. Certifying under the Privacy Shield requires U.S. entities to undertake certain steps and assessments to verify that they can comply with the Privacy Shield principles for the data that they transfer from the EU, such as having a Privacy Shield-compliant privacy policy, giving people choice about how their data will be used, implementing data protection controls, selecting a third party to adjudicate individual privacy complaints, and verifying that vendors and service providers they allow to access the data also follow equivalent principles. Failure to comply with the principles can subject the companies to investigations and liability from the FTC (or Department of Transportation for entities regulated by that agency).

The DPA NRW raised the following issues that U.S. companies should consider:

1. Privacy Shield Alone May Not Be Sufficient For Transfers of Personal Data

Pursuant to the guidance, European companies considering transfers of personal data abroad must make a two-step assessment of data privacy compliance.

First, there must be a statutory basis for the transfer that is consistent with the local law of the concerned EU Member State, and as of May 2018, also with the EU General Data Protection Regulation. Second, the personal data held by EU companies should only be transferred to countries with an adequately high level of data protection comparable to the protection in the EU.

Privacy Shield, however, only addresses the latter. More specifically, the EU Commission’s adequacy decision of July 12, 2016 held that U.S. companies certified under the Privacy Shield provide an adequate level of protection.

Practically, what does this mean? In addition to the Privacy Shield certification, U.S. companies may need to enter into a data processing agreement with their EU partner that satisfies the relevant EU Member State statutory provisions that apply to data processing agreements. One example of such statutory provisions is Section 11 of the German Federal Data Protection Act, which contains fairly detailed requirements on the content of data processing agreements. In particular, it requires both parties to agree on rather specific technical and organizational measures that the processor has implemented to protect the security of the data to be processed.

2. Data Controllers Transferring Personal Data under the Privacy Shield Have Additional Duties

Under the guidance, even if a U.S. company is Privacy Shield certified, data controllers are still responsible for independently verifying that data privacy protections are upheld. That means that before transferring personal data to a Privacy Shield certified U.S. company the data controllers must confirm that:

  • the Privacy Shield certification actually exists;
  • the Privacy Shield certification is up to date (the certification has to be renewed annually); and
  • the personal data the data controller intends to transfer is covered by the certification.

Thus, U.S. companies should expect that data controllers will ask the U.S. company questions regarding these points, and likely require the U.S. company to attest that it complies with its privacy obligations with respect to the concerned data subjects. For verification of the status of a Privacy Shield certification, the U.S. Department of Commerce keeps and updates a list of certified companies https://www.privacyshield.gov/list.

For U.S. companies that are using the nine month grace period for compliance with the onward transfer principle of the Privacy Shield, the guidance indicates that the EU data controller should have the U.S. company confirm when it has completed compliance with the onward transfer principle. For U.S. companies, this will underscore the importance of reviewing, and where necessary updating, vendor and service provider contracts to ensure compliance with the Privacy Shield’s onward transfer principle by, among other things, contractually restricting the vendor or service provider’s data processing activities and requiring protection consistent with the Privacy Shield Principles.

3. Employee Data is Special

The Privacy Shield contains special provisions regarding transfers of employee data. If the Privacy Shield certification covers employee data, the company must agree to cooperate and comply with the EU DPAs with respect to such data. This means that the use of such data will still remain subject to EU law, and complaints from data subjects about the use of the data will be adjudicated by the EU DPAs. In addition, the following principles must be followed by EU companies transferring employee data to the United States:

  • The Privacy Shield Principle of choice may be impacted by generally applicable regulations from EU Member States that do not allow for the continued processing of employee data for purposes other than the purpose for which they were collected. EU data controllers (e.g. in general, the employing entities) may further restrict U.S. companies from such uses and require contractual restrictions.
  • U.S. companies and/or the data transferring EU entity (employer) need to respect an employee’s exercise of his/her right of choice against processing their personal data and must not disadvantage the employee in any way.
  • If specific protection for employee data is needed, appropriate measures have to be taken, e.g. pseudonymization or anonymization of data should be considered.

4. Privacy Shield May Not Be a Long Term Solution

Despite raising various concerns about the EU/U.S. Privacy Shield, the DPA NRW agreed to give the program one year to address those concerns. After this initial year, the Article 29 Working Party plans to review whether its concerns have been addressed, and if the Privacy Shield is effective and functioning. Depending on the outcome of this annual assessment, the DPA NRW reserves the right to reevaluate and potentially stop data transfers under the Privacy Shield. Accordingly, U.S. companies relying on the Privacy Shield should carefully weigh the uncertainty it offers as a long term solution.

At the same time, the DPA NRW guidance points out that the outcome of this assessment will also have an impact on other methods of transatlantic data flows such as binding corporate rules and EU model contractual clauses which are currently likewise under scrutiny.

For more details on the Privacy Shield, or for help exploring whether it is appropriate for your company, please contact any member of Orrick’s Cybersecurity and Privacy team.

EU-U.S. Privacy Shield: Companies Can Now Certify

Privacy Shield

As of August 1, 2016, U.S. companies can join the EU-U.S. Privacy Shield (the "Privacy Shield"), the successor to Safe Harbor, for personal data transfers from the EU to the U.S.

This post gives a high level summary of what companies should consider with the Privacy Shield.

Background:

On July 12, 2016, the European Commission (the "Commission") formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield's requirements are lawful under EU law. The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union ("CJEU") on October 6, 2015.


EU-U.S. Privacy Shield launched by European Commission


After receiving the approval of the EU Member States, through the Article 31 Committee, last Friday, the European Commission has today, July 12th, 2016, formally adopted the Adequacy Decision necessary to implement the EU-U.S. Privacy Shield (the Decision).

The Decision will be notified to Member States today and, as such, will be effective immediately.

The adoption process had stalled in recent months due to ongoing concerns about the access to personal data by public authorities in the U.S. You can read about some of these concerns in our previous blog post.

The European Commission has received further commitments from the U.S. and has agreed clarifications and improvements on the bulk collection of data, strengthening the Ombudsperson mechanism and more explicit obligations on companies as regards limits on retention and onward transfers. Those commitments and clarifications have been sufficient to allay the concerns of the EU Member States, at least for now.

The Privacy Shield is subject to an annual review mechanism.


Germany Issues Privacy Guidelines for Employer Access to Employee Email and Internet Use


Can employers look at the company email accounts of employees, such as when they do not show up to work? Can employers monitor employee Internet use during working hours? Can employers read employee emails if they use the company email account for personal purposes?

Companies face these and many more questions about employer-provided email accounts and Internet access every day. To give employers guidance, the German Data Protection Authorities ("DPAs") published "privacy guidelines" on using email and the Internet at the workplace. These guidelines provide essential information, practical tips and helpful advice on this topic.
